21 Jun
Build cookie-to-token converter on Google API Gateway
During this internship, you will develop a framework on Google’s API Management platform to manage access tokens for a web client. The relationship between the API Management platform and the client application(s) will be maintained with standard cookies. So basically, you will develop a cookie-to-access-token “converter”. Some sort of “cookie monster”, if you prefer that term.
The development will not be done with standard programming languages, but by leveraging the built-in building blocks, the so-called “policies”, of the API Management platform. The primary platform that you will be learning and using is Google’s Apigee API Management platform. If time allows (e.g. with 2 students), we may opt to implement the solution on a second API Management platform (IBM, WSO2, …).
This topic is closely related to the discussion on the use of “public” OAuth client applications that cannot keep secrets vs. the use of confidential clients that can keep secrets. With confidential clients, the Authorization Server is also assured that it is talking to the right client application.
A standard approach is to introduce a Back-end For Front-end (BFF), an extra server component that manages the communication with the web client on the one hand and the communication with the back-end APIs on the other hand. We want to avoid a separate BFF and implement its role in the API gateway instead.
So in this internship you’ll design and develop a solution on the Google Apigee API Gateway to maintain web browser sessions with cookies while the API Gateway manages the access tokens on behalf of the web clients.
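As an added illustration that is not part of this posting and not Apigee policy code, here is the core of the cookie-to-token logic in plain Python: the gateway keeps the access token on its own side, hands the browser only an opaque HttpOnly session cookie, and swaps that cookie for a Bearer header on every forwarded request. The cookie name, the in-memory store and the token values are constructed for the example.

```python
import secrets
import time
from http.cookies import SimpleCookie

SESSION_COOKIE = "bff_session"  # hypothetical cookie name chosen for this example
TOKEN_STORE = {}                # session id -> (access_token, expires_at); gateway-side only


def create_session(access_token, ttl_seconds):
    """Store the token on the gateway side and return (session_id, Set-Cookie value).

    The browser only ever receives the opaque session id; the access token never
    leaves the gateway, which is the point of the converter.
    """
    sid = secrets.token_urlsafe(32)  # unguessable, carries no information about the token
    TOKEN_STORE[sid] = (access_token, time.time() + ttl_seconds)
    # HttpOnly keeps scripts away from the cookie, Secure restricts it to TLS, and
    # SameSite=Strict stops the browser from attaching it to cross-site requests.
    cookie = f"{SESSION_COOKIE}={sid}; Path=/; HttpOnly; Secure; SameSite=Strict"
    return sid, cookie


def cookie_to_token(request_headers, now=None):
    """Map the inbound Cookie header to an outbound Authorization header.

    Returns (status, headers): (200, {"Authorization": "Bearer ..."}) when the
    session is valid, otherwise (401, {}) and the client has to re-authenticate.
    """
    now = time.time() if now is None else now
    jar = SimpleCookie()
    jar.load(request_headers.get("Cookie", ""))
    morsel = jar.get(SESSION_COOKIE)
    if morsel is None:
        return 401, {}                      # no session cookie at all
    entry = TOKEN_STORE.get(morsel.value)
    if entry is None:
        return 401, {}                      # unknown or already revoked session id
    token, expires_at = entry
    if now >= expires_at:
        TOKEN_STORE.pop(morsel.value, None)  # expired: drop it so it cannot be replayed
        return 401, {}
    return 200, {"Authorization": f"Bearer {token}"}
```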
The approach is partially inspired by the book “API Security in Action”.
The ultimate goal is to open source your work, share it via GitHub with the Apigee community and publish an article about it.
What you will learn
- Applying API Security in a real-life context
- Working with an API Management platform, Apigee from Google in particular
- API Security in detail: OAuth2 & OpenID Connect
- Low(er)-code software development (no standard programming)
Who should apply?
- You are a student who’s not afraid of a challenge
- You are eager to learn new technologies
- You’re able to work independently
- You understand REST APIs in the context of web browsers
- You have basic API Security knowledge